
Check if Your Home Router is Vulnerable

At Wordfence, we make a firewall and malware scanner that protects over 2 million WordPress websites. We also monitor attacks on those sites to determine which IPs are attacking them and we block those IPs in real-time through a blacklist.

Half of the internet service providers we analyzed have routers with a very specific vulnerability. This vulnerability is known as the “misfortune cookie”. We will call it the MC vulnerability for short. It has been known for a few years and was first disclosed by CheckPoint in 2014. It is now being used to hack home routers. Using the tool below you can tell if you have the MC vulnerability.

The MC vulnerability exists in a service that your ISP uses to remotely manage your home router (the TR-069 remote-management service). That service listens on a “port”, number 7547. Besides the MC vulnerability, this port can have other vulnerabilities, one of which was disclosed a few months ago. Researchers have been discussing the dangers of port 7547 in home routers for a few years now.

Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router. They have the ability to configure their network to prevent outsiders from accessing that port. Many ISPs do not block public access to port 7547.

You can use the tool below to determine if your port 7547 is open to the public internet. If it is, we suggest you contact your ISP and ask them to prevent outsiders from accessing that port on your home router. Even if you aren’t vulnerable to one of the two vulnerabilities we posted above, future vulnerabilities may emerge on port 7547. By blocking public access you will protect yourself and your home network.

Check if you are vulnerable

To use this tool, simply click the ‘Scan me’ button and we will check the IP you are visiting this site from to determine if port 7547 is open on your router and if it is vulnerable to the misfortune cookie vulnerability.

This test attempts to connect to port 7547 on your home router to see if it is listening, grabs the response from that port and analyzes it. It is quite safe: if your port 7547 is publicly available, it already receives many scans like this every day from hackers and security professionals.
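For readers who would rather run the same check themselves than trust a button, here is an added example (not Wordfence's scanner) that does what the paragraph above describes: it connects to port 7547, reads the HTTP banner, and looks at the Server header. Run it only against a router you administer, giving it the WAN IP from the router's status page (or the address whatsmyip.org reports for you). The threshold it uses, Allegro RomPager 4.34 as the first version carrying the Misfortune Cookie fix, comes from Check Point's advisory rather than from this post; the sample banner is constructed, modelled on the `RomPager/4.07 UPnP/1.0` string routers have been seen to return. The script reports three outcomes rather than a blanket "safe": `closed` (nothing answered), `open` (something answered but not a known-vulnerable banner, so other port 7547 issues may still apply) and `vulnerable`.

```python
"""Self-check for port 7547 (TR-069 / CWMP) on a home router.

Added example, not Wordfence's tool. Point it at the WAN address of a
router you administer:  python check_7547.py 203.0.113.10
"""
import re
import socket
import sys
from typing import Optional, Tuple

TR069_PORT = 7547
# Check Point's Misfortune Cookie advisory names RomPager 4.34 as the first
# fixed release; anything reporting an older version is flagged.
ROMPAGER_FIXED_VERSION = (4, 34)

# Constructed sample, shaped like the banner vulnerable routers return.
SAMPLE_BANNER = (b"HTTP/1.1 401 Unauthorized\r\n"
                 b"Server: RomPager/4.07 UPnP/1.0\r\n"
                 b"WWW-Authenticate: Basic realm=\"Router\"\r\n\r\n")


def parse_server_header(response: bytes) -> Optional[str]:
    """Return the HTTP Server header value, or None if the reply has none."""
    head = response.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    for line in head.split(b"\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def rompager_version(server: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from e.g. 'Allegro-Software-RomPager/4.07'."""
    m = re.search(r"RomPager/(\d+)\.(\d+)", server)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_banner(response: bytes) -> dict:
    """Classify a raw reply from port 7547: 'open' or 'vulnerable'."""
    server = parse_server_header(response)
    result = {"status": "open", "server": server}
    ver = rompager_version(server) if server else None
    if ver is not None and ver < ROMPAGER_FIXED_VERSION:
        result["status"] = "vulnerable"
        result["reason"] = ("RomPager %d.%d predates the Misfortune Cookie "
                            "fix (4.34)" % ver)
    return result


def check_router(host: str, port: int = TR069_PORT, timeout: float = 5.0) -> dict:
    """Connect, send a minimal GET, read up to 4 KiB and classify the reply.

    'closed' means the connection was refused or never answered; an accepted
    connection with no banner is still reported as 'open'.
    """
    data, connected = b"", False
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            connected = True
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("ascii"))
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:                      # refused, timeout, unreachable
        if not connected:
            return {"status": "closed", "detail": type(exc).__name__}
    if not data:
        return {"status": "open", "server": None,
                "detail": "accepted the connection but sent no banner"}
    return classify_banner(data)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_7547.py <router WAN IP>")
    print(check_router(sys.argv[1]))
```

The banner classification is separated from the network call so it can be exercised on captured replies; note that a "closed" result only says nothing answered from where you ran the script, which is why it must be run from outside your own network (or pointed at the WAN address from the public side) to mean anything.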

What to do with the results

Immediately reboot your home router. This may flush any malware from your home router.

Upgrade your router firmware to the newest version if you can. Close port 7547 in your router configuration if you are able to (many routers don’t allow this).

If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.

Run a virus scan on all your home workstations.

Update all home workstations and devices to the newest versions of operating system and applications or apps.

Update any firmware on home devices where needed.

If you are not vulnerable, but port 7547 is open on your router, we recommend that you:

Reboot your home router immediately. Your router may be exposed to other port 7547 vulnerabilities.

Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet accessing it.

How you can help

According to Shodan, a popular search engine for internet-connected devices, over 41 million home routers world-wide have port 7547 open to the public internet. We are trying to get the word out to home users and ISPs to block this port and patch any vulnerable routers. This will help reduce attacks on the websites we protect and, far more importantly, it will help secure over 41 million home networks.

We found over 10,000 infected home routers in Algeria that use Telecom Algeria for internet access. These are home networks that have already been hacked. We found over 11,000 hacked home routers in India with BSNL, another major ISP in that country. Let’s help secure our fellow internet citizens and prevent others from having their home networks compromised.

You can help by sharing this post and empowering home users to check if they are vulnerable. They can then contact their ISPs with the information and this will gradually cause ISPs to close port 7547 to outside access and to disinfect and patch vulnerable routers.

Mark, I'd like to extend to you my sincerest thanks for informing the public about such vulnerabilities time and time again. Your data studies and reporting are excellent.

I've been a Wordfence user for a while now and been reading your newsletter and blog since then. You always share some unique data in the WP security sphere and educate the netizens in what needs to be done to stay safe.

I thought to myself, if the free version was this good, how good would the premium be? Well, I did subscribe to WF premium, and since then I am pretty relaxed when it comes to WordPress security.

My two primary needs (a firewall and 2-factor auth for all users) are both handled beautifully by WordFence. On average, I used to get anywhere between 10-50 brute-force login attempts daily, from IPs all over the world. This article explains how the hackers can automate and manage this process so well. Well, I'm sure this is just one of the techniques they use.

I'm glad I am using WordFence, as I can laugh as those waves of brute force attempts crash against the WF firewall and dual-factor authentication.

Educate yourself and follow the best practices, that's what I always say to our readers. Thanks for leading the way.

Yes. It will check whatever your public IP is for your mobile connection. So if you're using your home WiFi on a mobile device, it will check your home router as intended. If you're at a coffee shop, it will check their router. If you're connected via a VPN, it will check the exit node for the VPN, not your home router. If you're at the office, it will check the public IP for your office connection and if that's a router, it will let you know if that is insecure.

Thanks very much for this helpful tool and your regular and very interesting newsletter/reports. Your report is one of the few newsletters that I read every time. Your premium version is worth every penny and I will strongly recommend it.

Yes we think these routers were exploited by CheckPoint's misfortune cookie vulnerability. I haven't read the post you linked to yet but can see MC referenced in the link (sorry, short on time). I'd also add that there's a new port 7547 (TR-069 service) exploit doing the rounds and more will emerge. They really should block the port from public access.

Is the message "Your router is safe" unrealistically reassuring? Would it be more accurate to say "Your router's port 7547 is safe" since that's the only test performed and other vulnerabilities may still exist?

The article is very clear and the first wave of users (mostly developers) understand it. But when average users test it (which hopefully will happen), many will only look at the button and the response without the context and misinterpret it as a clean bill of health.

Great information and have passed along the informative article to my clients. Email alerts and emerging threats are great to receive. Thank you for keeping us informed and above all, your product! Michael

I checked my router with your scan and was informed that I have an open port. I then checked with my internet provider, BT and was informed that the open port poses no threat at all and I should ignore it? So now I have conflicting information and I am not sure what to do about it. I cannot see any way to close the port in question and BT are saying that I shouldn't even bother trying as it poses no threat to anyone?

Port 7547 is the Comcast public access Wi-Fi installed in over 16 million routers worldwide. I had already contacted them regarding hacking possibilities. They say it cannot happen. Of course, I am a realist. Anything can happen. One fixes vulnerabilities and the hackers learn how to do something new. It is simply a case of staying ahead of the chase. I would humbly like to add that all users of modem/routers should set very strong passwords for login, as well as for Wi-Fi registration. Sadly, there isn't much more that I can do in this case. While logged into the modem, I did see your tool test and DHCP IP address. In sum, there is not more I can do without upsetting the gateway 'apple cart'. Thank you very much Mark. I am considering your request for part-time engineers to help Wordfence. I have also checked my website with multiple anti-malware software, and I have any changes going to my inbox, automatically. Thank you, again for a great service. Sincerely, Ed Smith

Well, this post was something that everyone could use. I really like that your team is willing to expand the scope to the masses, not just WordPress users. It's a great idea to help protect the public from having their equipment compromised, which in turn helps protect our websites. Now if we could somehow replace Log/Pass for something better. ;)

I did the check and it said I was vulnerable but the warning code mentioned "Cisco..." I don't use a Cisco router. My Xfinity/Comcast modem/router is made by Arris. I called Comcast and they said none of my ports are open. I'm not sure what to do. I see others reporting that Xfinity is vulnerable. How do we tell Comcast this?

Can you please email me your public IP address and the exact data you got from our check tool? You can use whatsmyip.org to get your public IP. So check your IP and then re-verify what you saw, and then shoot me an email at mark@wordfence.com. I can investigate further and will share (privately) what we find.

You guys are the best. Every time I think, OK, they are on top, you come out with something better. It is amazing that you compete with yourself to keep outdoing yourself. That is a sign of a true leader.

Your work is truly amazing, guys!
Almost makes me feel guilty for only using the free version ; )
Even though my router was not on the list, yesterday's post made me check my firmware version, and to my dismay discover that I never upgraded it when I installed my new router a few months ago! Ah well, unpleasant as it was to have to take time to do it, now it's done and I'm glad I did it - you never know...
Cheers
Lars

Hi Mark,
I found your plug-in through the WordPress forum when I was having some issues with my site crashing. I've installed Wordfence on my site and it found some malware which had been causing some problems.
I'd like to thank you for the work you do to keep our sites safe and for providing these additional products to check our system to make sure they're not infected.
Thanks so much!
Cathy Rust

Wow, tested last night and found my home router, provided by COMCAST, did have the vulnerability. Took almost an hour on the phone with them to get this resolved. I would guess that most of the COMCAST provided routers are configured the same (yikes!).

Another way to check your router for vulnerability and others is to use the utilities at https://www.grc.com. As always you stimulate me to ask more questions. Couldn't Internet Service Providers block all access external to their network to port 7547?

I hope you are working with ISPs to encourage them to clean up their vulnerabilities.

Many thanks Mark, the scan was very useful. I live in one of the listed countries, have a ZyXEL modem-router and an ISP with abysmally poor support. Last week I had some Internet issues and tried to access my modem-router and could not. I ran your scan with the result "Your router is vulnerable. The port returned: RomPager/4.07 UPnP/1.0"

After ensuring I had all the settings needed, I did a reset and was able to gain access. On the Admin page I found: http://acs.telkom.net:9090/web/tr069 and a field for the port which was filled with 7547. The field could not be empty so I entered a figure above 50000 and tried the scan again. This time the message was: "Your router is safe". Another door closed! Thank you again!

I spent half an hour on the telephone to my ISP Customer Service, but even after reaching a supervisor I realised that I was wasting my time, so I tried to get an e-mail address for someone to contact, but was told the only one was @customerservice. From experience I know that the mail box is always full.

I decided to check for firmware updates at Zyxel and found that the exact model of my router was not listed. There are hundreds of thousands of the same model in this country. Without a listed Model No., you cannot open the message field. I picked the closest one and entered the Serial No. and the SN(??), explained the issue in detail and clicked Send. A few minutes later, I received an e-mail: Undeliverable: Zyxel【Contact Support】Delivery has failed to these recipients or groups: ZySG-Support@zyxel.com.sg!!! Checking Whois told me the server was in Taiwan, so I complained to the postmaster and admin, but probably a waste of time.

Thanks for the post :) - I had updated my firmware on my affected Zyxel router but being naive/stupid I didn't actually test it after update - I just assumed it worked. Turns out it didn't as this page and other apps flagged it up.

Having been back and forth with their support and two further firmware updates (their contact form is buggy if you try and contact them - sometimes the form company field needs to be left empty and the attachment field clicked but left empty), they want me to block the 7547 port manually. At the moment, having followed the documentation link they sent, the port is still vulnerable.

So I'm waiting to see if they can help me again; if it still persists I guess I'll have to buy a new router.

I'm doubtful that you're connecting to your own router. Wondering if there's a way you can verify it's actually your own router you're connecting to. Can you log in to it and check what IP it has received on its WAN interface and then try telnetting to port 7547 on that IP?

Thanks for this post and free online tool to check if my home's router is insecure and how to make it secure if it is. This is the type of post & tool that I will take the time to share on all the platforms I am associated with.

I ran the test and it tells me I have port 7547 open.
I login to my router and find no way to block the port.
I call Comcast/Xfinity to ask to have port 7547 blocked.
The tech tells me I am 100% safe because Port Forwarding, Port Triggering, and Remote Management are all disabled.
Does this sound reasonable?

Thanks for going to the trouble to provide the scanner. Fortunately, we came up safe. However, you have no way of knowing, and being provided an easy tool to find out is worth our gratitude many times over.